Something shifted in late 2025 that I don't think our industry has fully reckoned with yet.
When frontier AI models crossed a new capability threshold towards the end of last year – developing the kind of ability that lets nearly any adversary generate working exploit code, craft convincing social engineering at scale, and chain attacks that cross security product boundaries autonomously – the threat landscape didn't just evolve. It accelerated into a different category entirely.
The speed, scale, and scope of attacks all shifted in the adversary’s favor simultaneously. Intrusions that used to unfold over days and hours now play out in minutes and seconds. The multi-stage campaigns that once required nation-state resources are now accessible to almost anyone. And every AI agent, every automated workflow an organization adopts to become more productive, quietly gifted adversaries a new attack surface at the same time.
I've been watching this unfold and thinking hard about how to respond to it. And I keep arriving at the same conclusion: the defense most organizations rely on today was built for a different threat. Not just an older one. A structurally different one.
When attacks move at machine speed, the organizations that thrive aren't the ones with the most products. They're the ones whose defense gets smarter every time it encounters a threat, and passes that intelligence to every other customer in the system.
The stack problem
For 40 years, the cybersecurity industry had a reliable playbook: every new threat category became a new product. New threat, new tool. New gap, new vendor. The result? The average enterprise today manages more than 45 separate security products.1
The problem with that number isn't the cost and complexity, though that's real too. It's what happens to intelligence when it's fragmented across 45 silos. The endpoint doesn't know what the firewall saw. The email gateway doesn't tell the identity layer what it caught. Every tool learns alone. Nothing builds on what came before.
When attacks move at machine speed and execute across endpoint, cloud, identity, network and email in one coordinated push, a defense that correlates those signals manually – if it correlates them at all – isn't a defense. It's a very expensive post-mortem.
The stack model assumes a human analyst can connect the dots across those 45 tools fast enough to matter. In the old world, built on a slower and structurally different threat, that approach was serviceable. It isn't tenable anymore.
SIEM and XDR were the right instincts
Give the industry credit. It didn't just name the fragmentation problem; it built two technologies to solve it: SIEM and XDR. SIEM set out to pull every log into one place. The first wave of XDR set out to correlate detections across tools.
Both were the right instinct. Both are real capabilities. In fact, both are essential components of a defense system, and Sophos delivers them today. But here is what a decade of deployment made clear: neither one alone, nor both together, reaches the capability set the moment now demands.
SIEM aggregates data after the fact. It collects logs from products that are still strangers to each other, then asks an analyst to make sense of the pile. Early XDR correlated alerts, but only across the tools a single vendor happened to own, and only after each tool had already decided, alone, what mattered. Aggregation is not architecture. Pulling data into a shared window does not make the sources aware of each other, and it does not let them act as one.
A defense system is different in kind, not degree. SIEM and XDR live inside it as capabilities, not as the ceiling of what the system can do. The control points share one data layer from the moment a signal is born, not after it lands in a warehouse. They inform each other's decisions in real time, not in a report an analyst reads later. That is the line between collecting intelligence and operating on it. SIEM and XDR collect and correlate. The defense system acts.
The real capability gap
With ~359 million businesses in the world, fewer than 35,000 have a CISO or security leader in place. 35,000 have a CISO. That ratio — one CISO for every 10,000 organizations — is at the heart of why the industry has failed to keep pace with the threat.
The cybersecurity poverty line is what happens when organizations can't convert their security technology into functional defense. It's not defined by size or budget alone. I've seen well-funded organizations sitting well below it, and 200-person regional companies running well above it.
It's defined by strategic capability: the ability to set up controls correctly, monitor them continuously, measure whether they're working, and improve over time.
AI made that gap both more dangerous and, for the first time, genuinely closable. More dangerous because attackers adopted it instantly, an immediate, free upgrade. Closable because the same AI capabilities that accelerate attacks can also accelerate defense if it's built as part of the architecture and not bolted on as a feature.
Introducing Sophos Fusion
Today, we're announcing Sophos Fusion, the industry's most complete AI-native cybersecurity defense system.
Sophos Fusion is the evolution of what in the industry we've called Platforms. It’s a single, open architecture where every control point — endpoint, firewall, email, cloud, network, identity, and security operations, and more — shares the same data, the same intelligence, and responds as one.
What makes that different from the platforms our competitors sell is the architecture underneath:
A unified context lake, where every signal from every control point flows into one shared data layer in real time. No aggregation delay. No silo. The entire system sees what any individual part sees.
Synchronized Security™ is the connective tissue that transforms shared insights into coordinated response. A detection at the endpoint triggers a coordinated response at the firewall, a compromised identity locks down access across the environment, and a suspicious email raises the scrutiny level everywhere else. Detection anywhere, response everywhere.
Agentic autonomy with human judgment. The system can detect, investigate, and respond without waiting for a human, operating inside boundaries that our MDR analysts set and continuously calibrate. This isn't automation replacing human ownership. It's AI reasoning about novel situations, with humans governing the trust boundary.
Compounding intelligence. Every threat seen across more than 625,000 defended organizations by Sophos feeds back into the system. A new customer doesn't start from zero; they inherit the benefit of every threat the system has ever seen.
We're also clear about what it isn't: a closed system. More than 500 third-party integrations feed the same shared data layer. Threat telemetry from a customer's existing endpoint, firewall, or identity tools from a vast number of vendors flows into the same context lake as the insights from their Sophos solutions, the same correlation engine, and the same MDR team. Native where it matters. Open where the customer needs it to be.
The evolution of Sophos Central
Sophos Fusion is the evolution of Sophos Central, rearchitected for the AI era. All Sophos customers are already part of Sophos Fusion and already benefit from unmatched protection from threats that move at machine speed. Over the coming months, users will see Sophos Central evolve to Sophos Fusion in the interface as we roll out the naming, with no action required of customers or partners.
Proof in our own operation
Sophos runs the world's largest agentic SOC on Sophos Fusion. 52% of cases are handled entirely by AI, with no human required. The average time from alert to a fully automated response is 89 seconds. We're not measuring MDR response time in minutes anymore. We're measuring it in seconds.
The market is validating what we've built as well. In the G2 Summer 2026 reports — based entirely on verified customer reviews — Sophos ranked number one across endpoint, EDR, XDR, MDR, and firewall in a single season. No other vendor has done that across all five categories simultaneously.
Sophos is also the only vendor recognized as a Gartner® Peer Insights™ Customers’ Choice across Email Security, Endpoint Protection Platforms, Managed Detection and Response, Extended Detection and Response, and Network Firewalls. These recognitions reflect what matters most: customers consistently choosing Sophos to protect, detect, and respond across their entire cybersecurity environment.
What's coming
Sophos Fusion is available now, and we're expanding the system significantly over the coming months.
From mid-August we’ll release major enhancements to the Sophos MDR service, significant expansion of Sophos XDR powered by Secureworks Taegis analytics, and a new Next-Gen SIEM offering.
Sophos Next-Gen SIEM deserves particular attention: it's priced by users and servers rather than data volume, which eliminates the perverse incentive that leads security teams to limit the telemetry they ingest and deliberately leave blind spots in their coverage or face runaway costs.
In October, two more capabilities arrive. Sophos AI Defense gives organizations visibility, control, and protection over every AI tool in their environment, including shadow AI, built on capabilities already inside the system. And Sophos CISO Advantage scales CISO-level guidance to every organization, with or without a CISO, delivering continuous control validation, compliance mapping, peer benchmarking, and executive-ready risk assessment. For the organizations below the poverty line that have never had access to that kind of strategic capability, it transforms what's possible.
A defense that compounds
For decades, the industry told customers that more tools meant better security. The AI era exposed the lie of that assumption completely. The advantage belongs to organizations with a coordinated defense that sees every signal, learns from every threat, and responds as one.
That requires a fundamentally different architecture, one that the majority of leading cybersecurity providers have failed to construct in full.
Sophos Fusion is the architecture we spent years building toward. The AI era made it necessary. The work we've done, from our award-winning product capabilities to the Secureworks acquisition and the agentic SOC we run today, made it possible.
The stack had a good run. What comes next is a system.
Disclaimer
Gartner® Peer Insights™ content consists of the opinions of individual end users based on their own experiences, and should not be construed as statements of fact, nor do they represent the views of Gartner® or its affiliates. Gartner® does not endorse any vendor, product or service depicted in this content nor makes any warranties, expressed or implied, with respect to this content, about its accuracy or completeness, including any warranties of merchantability or fitness for a particular purpose.
GARTNER® and PEER INSIGHTS™ are trademarks of Gartner, Inc. and/or its affiliates.
1Gartner, “Tech FutureSight: Protect the Global Attack Surface With an Autonomous Cyber Defense System,” Neil MacDonald, 12 December 2025.
